EU court backs EU data protectors over Irish regulator

Can the European Data Protection Board (EDPB), as a higher-level body, give the Irish data protection authority a leg up in enforcing the General Data Protection Regulation (GDPR)? The General Court of the European Union (EGC) ruled on Wednesday: yes. The Luxembourg judges justified this with the will of the EU legislator. The latter had stipulated that "persistent differences of opinion between the supervisory authorities concerned as to the scope of the analysis of a case and, where appropriate, as to the scope of the investigation carried out in this regard – should be settled within the framework" of the coordination procedure within the EDPB.

The Data Protection Commission (DPC) in Dublin is responsible for "big fish" such as Google, Meta, Apple, Microsoft, TikTok & Co. because they have their European headquarters in Ireland. However, it has long been seen as a bottleneck in GDPR enforcement. There are often disputes in the Data Protection Committee about the DPC's draft decisions. This triggers complicated and lengthy mutual agreement procedures in which the Irish authority is usually outvoted. In some cases, however, it would rather not leave it at that.

The recently decided cases T-70/23, T-84/23 and T-111/23 concerned EDPB decisions from December 5, 2022, according to which Meta unlawfully exploited the personal data of users for advertising purposes without their consent in accordance with Article 6 GDPR. In essence, the case concerned the data protection provisions that the US company applied to its subsidiaries Facebook, Instagram and WhatsApp. Meta already offered an opt-out for the evaluation of user behavior on third-party websites and apps. At the time, however, users did not have a choice regarding the use of their personal information on Facebook and Instagram for personalized advertising.

Meta wanted to offer targeted advertising as a service

For years, Meta relied on the trick of passing off its data mining as a service for the users concerned. The DPC tried to influence the EDPB guidelines for the interpretation of the GDPR in favor of the platform operator. Ultimately, it wanted to nod off Facebook's consent trick, but did not get through to the EDPB. The association of European state data protection controllers also ruled that the Irish authority should also have investigated the analysis of sensitive data under Article 9 GDPR for targeted advertising. In November 2023, the EDPB also instructed its colleagues in Dublin to extend the Norwegian ban on behavioral advertising to the whole of Europe.

The DPC refused to comply with the first binding decision after a delay of more than four years. It applied to the EGC for the partial annulment of the EDPB decisions. They ordered it to carry out new investigations into the data processing associated with the use of Facebook, Instagram or WhatsApp and to prepare supplementary draft decisions on this basis. The judges have now rejected the complaints: the interpretation of the law clearly shows that the EDPB is authorized to issue instructions such as the contested ones.

DPC: Masterful grotesque evasive maneuvers

According to the EGC, the DPC's argument that only the national courts can review objections in connection with the investigation falls flat. It is important that the bodies monitoring the supervisory authorities are just as independent as the supervisory authorities themselves. This applies to the EDPB, as it consists of controllers from the Member States and the EU Data Protection Supervisor. The latter, in turn, is an independent body vis-à-vis the institutions it supervises and other authorities of the Union. Both sides have two months and ten days from the date of notification to lodge an appeal with the European Court of Justice (ECJ) against the ruling, which is not yet final.

Max Schrems, Chairman of the Austrian civil rights organization Noyb, which initiated the case with a complaint in 2018, is pleased with the decision. However, he pointed out that it also means that the case is "starting from scratch again" after more than six years. It will probably take another few years before the DPC and the Irish courts before the legal situation is finally clarified. The Irish supervisory authority is "a master of grotesque evasive maneuvers and procedural loops – with the result that US Big Tech never receives a penalty". After many complaints, the EU Commission has also made an attempt to solve the DPC problem.

(mma)